Document SysCfb_GetFbPtr bug #2586

mzxrules · 2025-06-04T03:25:51Z

Contributions made in this pr are licensed under CC0

src/code/graph.c

Dragorn421 · 2025-06-07T00:56:53Z

src/code/graph.c

+    //! @bug fbIdx is a signed integer that can overflow into the negatives. When compiled with a C99+ compiler or IDO,
+    //! the remainder operator will yield -1 for odd negative values of fbIdx.
+    //! This results in an out of bounds array access in SysCfb_GetFbPtr due to the negative index value,
+    //! which will crash the game.


I'd suggest something like

Suggested change

//! which will crash the game.

//! which will most likely read an invalid pointer (a NULL pointer in the case of all matching versions) and crash the game when trying to render to that "framebuffer".

to not make it sound like it's the OoB access which directly crashes the game

yea this is why i didn't bother stating that it crashes the game. It should be pretty obvious that fetching the color framebuffer pointer from an unintended memory address would lead to devastating consequences.

may as well not leave things up to interpretation though, right

To me, there isn't a good reason to explain what happens past the OOBs read. When you go beyond that point, there are so many different possible outcomes to consider, none of which are consistent, and none of which are important if your goal is to fix the bug.

Where I think I could be clearer is I could state that the oobs read happens when trying to retrieve the next framebuffer pointer. I think knowing that the color framebuffer pointer is being set to a garbage value is enough on it's own to hint that bad things are going to happen soon.

I dont see why we have to "hint" at anything. Its perfectly okay to say what will probably happen.

Well, I don't know what would "probably" happen once the framebuffer ptr is assigned to garbage data.

what dragorn wrote is fine.

Document SysCfb_GetFbPtr bug

922389f

fig02 reviewed Jun 4, 2025

View reviewed changes

src/code/graph.c Outdated Show resolved Hide resolved

cleaner comment

8cbdc70

Dragorn421 approved these changes Jun 6, 2025

View reviewed changes

Dragorn421 added the One approval Has one approval, can be merged in 48 hours if nothing else comes up label Jun 6, 2025

fig02 reviewed Jun 6, 2025

View reviewed changes

src/code/graph.c Show resolved Hide resolved

fig02 added the Waiting for author There are requested changes that have not been addressed label Jun 6, 2025

fixes

74a415a

Dragorn421 reviewed Jun 7, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Document SysCfb_GetFbPtr bug #2586

Document SysCfb_GetFbPtr bug #2586

mzxrules commented Jun 4, 2025

Uh oh!

Uh oh!

Uh oh!

Dragorn421 Jun 7, 2025

Uh oh!

mzxrules Jun 7, 2025

Uh oh!

Dragorn421 Jun 7, 2025

Uh oh!

fig02 Jun 11, 2025

Uh oh!

mzxrules Jun 11, 2025

Uh oh!

fig02 Jun 12, 2025

Uh oh!

mzxrules Jun 12, 2025

Uh oh!

fig02 Jun 12, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

	//! which will crash the game.
	//! which will most likely read an invalid pointer (a NULL pointer in the case of all matching versions) and crash the game when trying to render to that "framebuffer".

Document SysCfb_GetFbPtr bug #2586

Are you sure you want to change the base?

Document SysCfb_GetFbPtr bug #2586

Conversation

mzxrules commented Jun 4, 2025

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants